System, method and computer program product for detecting policy violations

ABSTRACT

A policy violation detection computer-implemented method, system, and computer program product, includes extracting a policy activity from a policy, the policy activity including an actor in the policy, an object of the policy, an action of the policy, and policy scope metadata, capturing a transaction by a user including metadata of the transaction, translating the transaction by the user into an actor in the transaction, an action of the transaction, and an object of the transaction, and alerting the user of a policy violation by navigating a knowledge graph is-a hierarchy to relate the actor in the transaction to the actor in the policy, the object of the transaction to an object of the policy, and the action of the transaction to an action of the policy activity.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a Continuation Application of U.S. patentapplication Ser. No. 15/290,658, filed on Oct. 11, 2016, the entirecontents of which are hereby incorporated by reference.

BACKGROUND

The present invention relates generally to a policy violation detectionmethod, and more particularly, but not by way of limitation, to asystem, method, and a computer program product for detecting real-timesemantic policy violations for a possible future activity using recenttransactions.

People are often subject to policies related to an activity. Thesepolicies may be formulated and communicated by a company prior to thesepeople performing or completing the activity or may be communicatedduring the activity. For example, before booking a flight, the user maybe given the cancellation policy to review which will be in effect fromwhen they book the flight to when they check in for the flight. Otherpolicies, such as the baggage policy of the respective airline, may notbe communicated directly but can be looked up by the traveler.

However, policies are stated in natural language and thus could beambiguous or difficult to understand. Further, policies may be stated incomplex “legalese” or company-specific jargon. Policies also may be verylong and take users a long time to read. Also, users may forget aboutthe policies because there may be a long time between the issuance ofthe policy and the policy taking effect (e.g., booking a flight andtaking the flight some weeks or months later). Or, policies may beimplicit or have to be looked up and thus it is easy to violate them.Further, policies are concerned with future actions. In general, peoplelike to be alerted to policies that both are situationally relevant andsemantically relevant and warn against possible future actions that theuser might perform that would violate the policy.

There is a need in the art to alert users of potential policy violationsbased on those users' recent transactions.

SUMMARY

In an exemplary embodiment, the present invention can provide acomputer-implemented policy violation detection method, the methodincluding extracting a policy activity from a policy, the policyactivity including an actor in the policy, an object of the policy, anaction of the policy, and policy scope metadata, capturing a transactionby a user including metadata of the transaction, translating thetransaction by the user into an actor in the transaction, an action ofthe transaction, and an object of the transaction, and alerting the userof a policy violation by navigating a knowledge graph is-a hierarchy torelate the actor in the transaction to the actor in the policy, theobject of the transaction to an object of the policy, and the action ofthe transaction to an action of the policy activity.

One or more other exemplary embodiments include a computer programproduct and a system.

Other details and embodiments of the invention will be described below,so that the present contribution to the art can be better appreciated.Nonetheless, the invention is not limited in its application to suchdetails, phraseology, terminology, illustrations and/or arrangements setforth in the description or shown in the drawings. Rather, the inventionis capable of embodiments in addition to those described and of beingpracticed and carried out in various ways and should not be regarded aslimiting.

As such, those skilled in the art will appreciate that the presentinvention may readily be utilized as a basis for the designing of otherstructures, methods and systems. It is important, therefore, that theclaims be regarded as including equivalent constructions within thespirit and scope of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS

Aspects of the invention will be better understood from the followingdetailed description of the exemplary embodiments of the invention withreference to the drawings, in which:

FIG. 1 exemplarily shows a high-level flow chart for a policy violationdetection method 100;

FIG. 2 depicts a cloud-computing node 10 according to an embodiment ofthe present invention;

FIG. 3 depicts a cloud-computing environment 50 according to anembodiment of the present invention; and

FIG. 4 depicts abstraction model layers according to an embodiment ofthe present invention.

DETAILED DESCRIPTION

The invention will now be described with reference to FIG. 1-4, in whichlike reference numerals refer to like parts throughout. It is emphasizedthat, according to common practice, the various features of the drawingare not necessarily to scale. On the contrary, the dimensions of thevarious features can be arbitrarily expanded or reduced for clarity.

By way of introduction of the example depicted in FIG. 1, a policyviolation detection method 100 embodiment according to the presentinvention can include various steps to extract a policy activity of apolicy and run a rule-based inference model to predict violations of thepolicy based on user actions. By way of introduction of the exampledepicted in FIG. 2, one or more computers of a computer system 12according to an embodiment of the present invention can include a memory28 having instructions stored in a storage system to perform the stepsof FIG. 1.

Thus, a policy violation detection method 100 according to an embodimentof the present invention may act in a more sophisticated, useful andcognitive manner, giving the impression of cognitive mental abilitiesand processes related to knowledge, attention, memory, judgment andevaluation, reasoning, and advanced computation. In other words, a“cognitive” system can be said to be one that possesses macro-scaleproperties—perception, goal-oriented behavior, learning/memory andactions generally recognized as cognitive.

Although one or more embodiments (see e.g., FIGS. 2-4) may beimplemented in a cloud environment 50 (see e.g., FIG. 3), it isnonetheless understood that the present invention can be implementedoutside of the cloud environment.

Referring now to FIG. 1, in step 101, a policy activity is extractedfrom a database 140 with a policy action, actor, and an object withpolicy scope metadata (e.g., location, time, etc.) from a policy. Typesof the policy can include, for example, privacy policies, securitypolicies, terms of use policies, sales policies, etc. That is, policyactivity is extracted from a policy, the policy activity including anactor in the policy, an object of the policy, an action of the policy,and policy scope metadata. For example, policy activity can come fromnatural language processing of a policy documents, such as an airlinebaggage policy or a TSA policy.

In step 102, transactions by the user are captured from an action input130 including metadata (e.g., location, time, etc.). The capturingfeature is turned on and off depending on the test for the policy scope(e.g., checking location within policy location, time within policytime, etc. A transaction can include, for example, a credit cardtransaction, a direct input of the transaction, an e-mail receiptindicating a transaction, registering for an event as extracted fromcalendar data, etc.

In step 103, the captured transactions are translated into naturallanguage. The user's name into an actor in the transaction, the type oftransaction (buying, selling, attending, etc.) into an action of thetransaction, and the object as an object of the transaction. Forexample, if the transaction extracted in step 102 includes a credit cardstatement of “Purchase ID: 2564; Item: 104; Cost: $6.49”, the creditcard transaction is translated to a natural language sentence (“John Doepurchased a Large Iced Coffee”). The translation may involve looking upItem identifiers or numbers in an inventory database. For example, “item104” may be a Large Iced Coffee in the database. The transaction mayalso be translated into a semi-structured transaction language employingnatural language such as [actor: “Joe Doe”, action: purchase”, object:“Large Iced Coffee”]. The translation may involve listing synonyms. Thatis, there are many types of recent electronic transactions that mightindicate an action that could violate a policy, including buytransactions e.g., buying a coffee), events (e.g., registeringattendance at a wine tasting), etc. Each transaction is translated intonatural language in order to find similarities between transactions andthe policy because these policies are created by different organizationsfor different purposes.

Because these policies may be created by different organizations fordifferent purposes, natural language may be the best way to compare. Thetranslation may involve more than an actor, object, and action. It mayinvolve parsing prepositional phrases such as “at the airport” into alocation, “at 2 PM” into a time, and other common elements of dependencyparsing or conceptual parsing. Thus, the user is alerted of a policyviolation by navigating a knowledge graph is-a hierarchy to relate theactor in the transaction to the actor in the policy, the object of thetransaction to an object of the policy, and the action of thetransaction to an action of the policy activity.

Translating the transactions into natural language is necessary to matchthe transactions with the policy when there is no agreement between theparties. For example, if the transaction is from a Coffee Company whilethe policy is from an Airline, natural language can be used to compareboth even when the Coffee Company and the Airline have to agreement toshare and update Airline policies according to the Coffee Companyinventory, possible Coffee Company customer actions, and possible CoffeeCompany customers. Another reason for natural language is that users maywant to type in and express their future actions. This would be done innatural language. For example, a Sports Store customer may want to ask ahypothetical, such as “Can I bring my air rifle?”, Although othertechniques may be more difficult, the transactions can be translatedinto a plurality of types of languages in which the policy is translatedto the same language to extract similarities. In some embodiments, atransaction and a policy may be translated into a common language tofacilitate certain features of the present invention e.g., theextraction of similarities.

It is noted that the natural language may be English, French, Spanish,etc. That is, the natural language of the transaction is translated tothe same natural language of the policy.

In step 104, inference rules, if applicable, are run to project thetransaction forward. The model used is a raffle-based inference modelfor making inferences from an action to a state that are then testingagainst policies to see if there might be a violation. For example, theinference rules can include (A) if an object is acquired in an airport,then the actor may transport the object through security. Once the rulebinds to the action (a Large Iced Coffee is acquired in an airport) thenthe inference is made to generate the subsequent action (A large IcedCoffee transport through security). The knowledge graph is-a hierarchyis used to match the particular object (large Iced Coffee) to thegeneral object (liquid) and the subsequent action is generated for thegeneral object (liquid transport through security). This subsequentaction then violates the policy directly. (B) If someone performs anaction even without an object, then the action might enable anotheraction that could violate a policy in the future. (C) If someone changesan object or changes the state of an object, then that also may violatea policy in the future. Thus, in step 104, the inferences rules are runaccording to at least (A), (B), and (C) to make a prediction about apolicy violation. Policy violations can also be checked for locations(using spatial checking of shape bounds and other spatial constraints)and time (checking time line points and closed or open intervals orother temporal constraints).

By way of yet another example only, inference rules can be invoked ifsomeone (desires to) or does change an object or the state of an object.In this example, to check for a possible policy violation in the future.In some embodiments, in step 104, the inferences rules are run accordingin one or more of the foregoing examples to make a prediction about apolicy violation.

In step 105, a knowledge graph is navigated. Knowledge graphs includeconcepts in an “is-a hierarchy” to relate the types of user, action, andobject to the policy user, action, and object types, thereby to verifythat the object is related (semantically) to the transaction. Forexample, coffee is-a beverage is-a liquid. This “is-a hierarchy” can becreated using unsupervised learning methods (e.g., utilizingdistributional semantics) or accessed as particular relationship linkswithin an existing knowledge graph (e.g., hypernyms in Wordnet). It isimportant that there be enough coverage of the given objects and typesused in both the transactions and the policies and that the is-arelationship links be sufficiently correct for checking the policyviolations. Unique or new objects and unusual types may not be found ormay be found incorrect in some knowledge graphs, so new policies mayneed to be tested against captured or stored transactions to verify thatthe correct policy violations were detected and only the correct ones.

To match the transactions and the policy activities, the transaction iselaborated using the type of user (e.g., “customer”), object (e.g.,coffee), and action (e.g., “purchase”) and then matched against thepolicy. The type of actor performing the action may be described in manyways, some of which may violate the policy. Thus, a user profile may beused. For example, a Large Coffee Company may have a reward program thatenables customers to enter information about themselves or get this datafrom a social network. There is a table to map from attributes andvalues such as “gender: male” to possible knowledge graph nodes, such as“male” or “man”, that is, the table includes synonyms. Privacy concernsmay result in certain attributes being used and not others for policyviolation checking. For example, a person may have their religion in theprofile but not want to be alerted to policy violations involving thisattribute. The type of object may also be described in many ways. ALarge Iced Coffee is a beverage but also a drink. Thus, the system hasto navigate the knowledge graph is-a hierarchy from multiple conceptstarting points. In addition, the policy may be stated in generallanguage instead of talking specifically about each object. For example,the policy may have to do with liquids generally and not coffee per se.The knowledge graph preferably has these relationships already encoded.While matching the transactions and policies, the actor, object, andaction terms are expanded with synonyms in order to increase the matchprobability. The knowledge graph preferably has these synonyms alreadyencoded also. Thus, if the transaction contains the verb “purchase” butthe policy says “buy” the term expansion process with the synonyms willhelp to match these actions.

In step 106, if there is a match between the transaction and the policy(e.g., a policy violation), then each of the policies with potentialpolicy violations are filtered and ranked. That is, there may beconstraints that make it unsuitable to alert people to the policy. Forexample, a user's mobile profile may indicate they do not want to bealerted to certain types of policies or policy violations from certaincompanies or policy violations having to do with their user profile, theobjects they purchase, and so on. Following filtering, the policies areranked. Also, policies that are violated by multiple actions and/or area higher level of criticality (low/medium/high) will be ranked higher.Policies that are more specifically related to the actions are rankedhigher. For example, policy violations about beverages would be rankedhigher than policy violations about liquids generally or physicalobjects.

In step 107, the user is alerted of the policy violation. The user canbe provided with a list of policies. For each policy, a list ofviolations and potential violations can be provided. The violations caninclude the transaction text, the matching section of the policy text,and the link to the full policy, but also may include the matchingportion of the user's profile, the portion of the is-a hierarchy thatwas navigated, the location constraint violation, the time constraintviolation. These can be surfaced to the user to explain what the userdid that violated the policy. For potential violations, the inferencerules utilized and leading to the potential policy violation may also bepresented to the user as an explanation. Then the policy information maybe sent to a user on a personal device, such as a mobile phone,computer, tablet, watch, car computer, kiosk, etc.

Thereby, activities by the user are extracted from a policy stated innatural language with a (time/location) scope in which behavioral tracesof specific users involving specific actions on specific object(s) whenwithin the (time/location) scope are recorded, and the user is alertedof the policy's permissions for the activity if the types of actions inthe behavioral traces are semantically related to the types of actionsin the policy activity. “Semantically related” is established using aknowledge graph, a rule-based inference, or both, “actions” includetypes of users, types of actions, and/or types of objects, and“behavioral traces” are transactions, logs of user actions, results ofvideo analysis, etc.

In one exemplary embodiment, a traveler can download an application totheir mobile phone that asks for permission to access transactionreceipts from participating vendors and also to receive policies fromthe TSA. For example, a new policy just issued by the TSA that is apolicy on bringing liquids on the plane. It also has structured datawith who the policy impacts, (travelers), where (e.g., U.S. Airports)and when this policy is in effect (e.g., now and hereafter) (e.g.,extracted in step 101). A user performs a transaction at a coffee shopin which the transaction is captured including the metadata and thetransaction is translated into natural language of “buys a coffee”(e.g., in steps 102-103). The user receives an alert (e.g., step 107)with the new policy on their mobile device indicating that “you areallowed to bring a quart-sized bag of liquids, aerosols, gels, creamsand pastes in your early-on bag and through the checkpoint. These arelimited to travel-sized containers that are 3.4 ounces 000 milliliters)or less per item. Placing these items in the small bag and separatingfrom your carry-on baggage facilitates the screening process. Pack itemsthat are in containers larger than 3.4 ounces or 100 milliliters inchecked baggage”. That is, a rule-based inference is run and a knowledgegraph is navigated to determine a potential policy violation based onthe transaction of buying the coffee in which the policy that has beenviolated (or will be violated) is alerted to the user (e.g., steps104-107).

In some embodiments, a (non)-permitted activity can be identified with atype of object for a type of user from a natural language policy inwhich the transaction of a specific type of activity by a specific userinvolving a specific type of object is recorded such that an action isperformed to communicate the (non)-permitted activity to a user if aknowledge graph indicates that the specific type of object is of thegiven type.

In another embodiment, the action can include alerting the user, afriend of the user, a party to the transaction, or a party to thepolicy, or owner of the transaction, or owner of the policy. Also, theaction can involve preventing the transaction. Further, the transactioncan include a sale/purchase, invest/divest, borrowing, construction,accepting/declining an invitation, entering/leaving a location,entering/leaving a location during a time period, an action on acomputer system or device, a back-end action on a server a cloud-basedcomputing operation, etc. Moreover, a type can include a knownclassification of a string of tokens, where the type is in a graph,where the graph related types to one another and the instance is relatedto the type in the graph. The graph can include Wordnet, Freebase, Yago,or any other graph with types that classify string of natural languagetokens in text.

In an alternate embodiment, an inference rule is applied to thetransaction resulting in a potential future action which is then checkedfor a policy violation using the same methods as were applied to thetransaction itself, including by navigating the knowledge graph is-ahierarchy.

In some embodiments, the action, object, and action of the transactionare stated in natural language where the action is a verb or verb phraseof a sentence, the object is a noun or noun phrase object of the samesentence, and the actor is a noun or noun phrase subject of thatsentence.

Exemplary Aspects, Using a Cloud Computing Environment

Although this detailed description includes an exemplary embodiment ofthe present invention in a cloud computing environment, it is to beunderstood that implementation of the teachings recited herein are notlimited to such a cloud computing environment. Rather, embodiments ofthe present invention are capable of being implemented in conjunctionwith any other type of computing environment now known or laterdeveloped.

Cloud computing is a model of service delivery for enabling convenient,on-demand network access to a shared pool of configurable computingresources (e.g. networks, network bandwidth, servers, processing,memory, storage, applications, virtual machines, and services) that canbe rapidly provisioned and released with minimal management effort orinteraction with a provider of the service. This cloud model may includeat least five characteristics, at least three service models, and atleast four deployment models.

Characteristics are as follows:

On-demand self-service: a cloud consumer can unilaterally provisioncomputing capabilities, such as server time and network storage, asneeded automatically without requiring human interaction with theservice's provider.

Broad network access: capabilities are available over a network andaccessed through standard mechanisms that promote use by heterogeneousthin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling: the provider's computing resources are pooled to servemultiple consumers using a multi-tenant model, with different physicaland virtual resources dynamically assigned and reassigned according todemand. There is a sense of location independence in that the consumergenerally has no control or knowledge over the exact location of theprovided resources but may be able to specify location at a higher levelof abstraction (e.g., country, state, or datacenter).

Rapid elasticity: capabilities can be rapidly and elasticallyprovisioned, in some cases automatically, to quickly scale out andrapidly released to quickly scale in. To the consumer, the capabilitiesavailable for provisioning often appear to be unlimited and can bepurchased in any quantity at any time.

Measured service: cloud systems automatically control and optimizeresource use by leveraging a metering capability at some level ofabstraction appropriate to the type of service (e.g., storage,processing, bandwidth, and active user accounts). Resource usage can bemonitored, controlled, and reported providing transparency for both theprovider and consumer of the utilized service.

Service Models are as follows:

Software as a Service (SaaS): the capability provided to the consumer isto use the provider's applications running on a cloud infrastructure.The applications are accessible from various client circuits through athin client interface such as a web browser (e.g., web-based e-mail).The consumer does not manage or control the underlying cloudinfrastructure including network, servers, operating systems, storage,or even individual application capabilities, with the possible exceptionof limited user-specific application configuration settings.

Platform as a Service (Paas): the capability provided to the consumer isto deploy onto the cloud infrastructure consumer-created or acquiredapplications created using programming languages and tools supported bythe provider. The consumer does not manage or control the underlyingcloud infrastructure including networks, servers, operating systems, orstorage, but has control over the deployed applications and possiblyapplication hosting environment configurations.

Infrastructure as a Service (IaaS): the capability provided to theconsumer is to provision processing, storage, networks, and otherfundamental computing resources where the consumer is able to deploy andrun arbitrary software, which can include operating systems andapplications. The consumer does not manage or control the underlyingcloud infrastructure but has control over operating systems, storage,deployed applications, and possibly limited control of select networkingcomponents (e.g., host firewalls).

Deployment Models are as follows:

Private cloud: the cloud infrastructure is operated solely for anorganization. It may be managed by the organization or a third party andmay exist on-premises or off-premises.

Community cloud: the cloud infrastructure is shared by severalorganizations and supports a specific community that has shared concerns(e.g., mission, security requirements, policy, and complianceconsiderations). It may be managed by the organizations or a third partyand may exist on-premises or off premises.

Public cloud: the cloud infrastructure is made available to the generalpublic or a large industry group and is owned by an organization sellingcloud services.

Hybrid cloud: the cloud infrastructure is a composition of two or moreclouds (private, community, or public) that remain unique entities butare bound together by standardized or proprietary technology thatenables data and application portability (e.g., cloud bursting forload-balancing between clouds).

A cloud computing environment is service oriented with a focus onstatelessness, low coupling, modularity, and semantic interoperability.At the heart of cloud computing is an infrastructure comprising anetwork of interconnected nodes.

Referring now to FIG. 2, a schematic of an example of a cloud computingnode is shown. Cloud computing node 10 is only one example of a suitablenode and is not intended to suggest any limitation as to the scope ofuse or functionality of embodiments of the invention described herein.Regardless, cloud computing node 10 is capable of being implementedand/or performing any of the functionality set forth herein.

Although cloud computing node 10 is depicted as a computer system/server12, it is understood to be operational with numerous other generalpurpose or special purpose computing system environments orconfigurations. Examples of well-known computing systems, environments,and/or configurations that may be suitable for use with computersystem/server 12 include, but are not limited to, personal computersystems, server computer systems, thin clients, thick clients, hand-heldor laptop circuits, multiprocessor systems, microprocessor-basedsystems, set top boxes, programmable consumer electronics, network PCs,minicomputer systems, mainframe computer systems, and distributed cloudcomputing environments that include any of the above systems orcircuits, and the like.

Computer system/server 12 may be described in the general context ofcomputer system-executable instructions, such as program modules, beingexecuted by a computer system. Generally, program modules may includeroutines, programs, objects, components, logic, data structures, and soon that perform particular tasks or implement particular abstract datatypes. Computer system/server 12 may be practiced in distributed cloudcomputing environments where tasks are performed by remote processingcircuits that are linked through a communications network. In adistributed cloud computing environment, program modules may be locatedin both local and remote computer system storage media including memorystorage circuits.

Referring now to FIG. 2, a computer system/server 12 is shown in theform of a general-purpose computing circuit. The components of computersystem/server 12 may include, but are not limited to, one or moreprocessors or processing units 16, a system memory 28, and a bus 18 thatcouples various system components including system memory 28 toprocessor 16.

Bus 18 represents one or more of any of several types of bus structures,including a memory bus or memory controller, a peripheral bus, anaccelerated graphics port, and a processor or local bus using any of avariety of bus architectures. By way of example, and not limitation,such architectures include Industry Standard Architecture (ISA) bus,Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, VideoElectronics Standards Association (VESA) local bus, and PeripheralComponent Interconnects (PCI) bus.

Computer system/server 12 typically includes a variety of computersystem readable media. Such media may be any available media that isaccessible by computer system/server 12, and it includes both volatileand non-volatile media, removable and non-removable media.

System memory 28 can include computer system readable media in the formof volatile memory, such as random access memory (RAM) 30 and/or cachememory 32. Computer system/server 12 may further include otherremovable/non-removable, volatile/non-volatile computer system storagemedia. By way of example only, storage system 34 can be provided forreading from and writing to a non-removable, non-volatile magnetic media(not shown and typically called a “hard drive”). Although not shown, amagnetic disk drive for reading from and writing to a removable,non-volatile magnetic disk (e.g., a “floppy disk”), and an optical diskdrive for reading from or writing to a removable, non-volatile opticaldisk such as a CD-ROM, DVD-ROM or other optical media can be provided.In such instances, each can be connected to bus 18 by one or more datamedia interfaces. As will be further described below, memory 28 mayinclude a computer program product storing one or program modules 42comprising computer readable instructions configured to carry out one ormore features of the present invention.

Program/utility 40, having a set (at least one) of program modules 42,may be stored in memory 28 by way of example, and not limitation, aswell as an operating system, one or more application programs, otherprogram modules, and program data. Each of the operating system, one ormore application programs, other program modules, and program data orsome combination thereof, may be adapted for implementation in anetworking environment. In some embodiments, program modules 42 areadapted to generally carry out one or more functions and/ormethodologies of the present invention.

Computer system/server 12 may also communicate with one or more externaldevices 14 such as a keyboard, a pointing circuit, other peripherals,such as display 24, etc., and one or more components that facilitateinteraction with computer system/server 12. Such communication can occurvia Input Output (I/O) interface 22, and/or any circuits (e.g., networkcard, modem, etc.) that enable computer system/server 12 to communicatewith one or more other computing circuits. For example, computersystem/server 12 can communicate with one or more networks such as alocal area network (LAN), a general wide area network (WAN), and/or apublic network (e.g., the Internet) via network adapter 20. As depicted,network adapter 20 communicates with the other components of computersystem/server 12 via bus 18. It should be understood that although notshown, other hardware and/or software components could be used inconjunction with computer system/server 12. Examples, include, but arenot limited to: microcode, circuit drivers, redundant processing units,external disk drive arrays, RAID systems, tape drives, and data archivalstorage systems, etc.

Referring now to FIG. 3, illustrative cloud computing environment 50 isdepicted. As shown, cloud computing environment 50 comprises one or morecloud computing nodes 10 with which local computing circuits used bycloud consumers, such as, for example, personal digital assistant (PDA)or cellular telephone 54A, desktop computer 54B, laptop computer 54C,and/or automobile computer system 54N may communicate. Nodes 10 maycommunicate with one another. They may be grouped (not shown) physicallyor virtually, in one or more networks, such as Private, Community,Public, or Hybrid clouds as described hereinabove, or a combinationthereof. This allows cloud computing environment 50 to offerinfrastructure, platforms and/or software as services for which a cloudconsumer does not need to maintain resources on a local computingcircuit. It is understood that the types of computing circuits 54A-Nshown in FIG. 3 are intended to be illustrative only and that computingnodes 10 and cloud computing environment 50 can communicate with anytype of computerized circuit over any type of network and/or networkaddressable connection (e.g., using a web browser).

Referring now to FIG. 4, an exemplary set of functional abstractionlayers provided by cloud computing environment 50 (FIG. 3) is shown. Itshould be understood in advance that the components, layers, andfunctions shown in FIG. 4 are intended to be illustrative only andembodiments of the invention are not limited thereto. As depicted, thefollowing layers and corresponding functions are provided:

Hardware and software layer 60 includes hardware and softwarecomponents. Examples of hardware components include: mainframes 61; RISC(Reduced Instruction Set Computer) architecture based servers 62;servers 63; blade servers 64; storage circuits 65; and networks andnetworking components 66. In some embodiments, software componentsinclude network application server software 67 and database software 68.

Virtualization layer 70 provides an abstraction layer from which thefollowing examples of virtual entities may be provided: virtual servers71; virtual storage 72; virtual networks 73, including virtual privatenetworks; virtual applications and operating systems 74; and virtualclients 75.

In one example, management layer 80 may provide the functions describedbelow. Resource provisioning 81 provides dynamic procurement ofcomputing resources and other resources that are utilized to performtasks within the cloud computing environment. Metering and Pricing 82provide cost tracking as resources are utilized within the cloudcomputing environment, and billing or invoicing for consumption of theseresources. In one example, these resources may comprise applicationsoftware licenses. Security provides identity verification for cloudconsumers and tasks, as well as protection for data and other resources.User portal 83 provides access to the cloud computing environment forconsumers and system administrators. Service level management 84provides cloud computing resource allocation and management such thatrequired service levels are met. Service Level Agreement (SLA) planningand fulfillment 85 provide pre-arrangement for, and procurement of,cloud computing resources for which a future requirement is anticipatedin accordance with an SLA.

Workloads layer 90 provides examples of functionality for which thecloud computing environment may be utilized. Examples of workloads andfunctions which may be provided from this layer include: mapping andnavigation 91; software development and lifecycle management 92; virtualclassroom education delivery 93; data analytics processing 94;transaction processing 95; and, more particularly relative to thepresent invention, the policy violation detection method 100.

The present invention may be a system, a method, and/or a computerprogram product at any possible technical detail level of integration.The computer program product may include a computer readable storagemedium (or media) having computer readable program instructions thereonfor causing a processor to carry out aspects of the present invention.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. Anon-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein, is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic waves propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firewalls, switches, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for carrying out operations ofthe present invention may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, configuration data for integrated circuitry, oreither source code or object code written in any combination of one ormore programming languages, including an object oriented programminglanguage such as Smalltalk, C++, or the like, and procedural programminglanguages, such as the “C” programming language or similar programminglanguages. The computer readable program instructions may executeentirely on the user's computer, partly on the user's computer, as astand-alone software package, partly on the user's computer and partlyon a remote computer or entirely on the remote computer or server. Inthe latter scenario, the remote computer may be connected to the user'scomputer through any type of network, including a local area network(LAN) or a wide area network (WAN), or the connection may be made to anexternal computer (for example, through the Internet using an InternetService Provider). In some embodiments, electronic circuitry including,for example, programmable logic circuitry, field-programmable gatearrays (FPGA), or programmable logic arrays (PLA) may execute thecomputer readable program instructions by utilizing state information ofthe computer readable program instructions to personalize the electroniccircuitry, in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention, it will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical function(s). In some alternativeimplementations, the functions noted in the blocks may occur out of theorder noted in the Figures. For example, two blocks shown in successionmay, in fact, be executed substantially concurrently, or the blocks maysometimes be executed in the reverse order, depending upon thefunctionality involved. It will also be noted that each block of theblock diagrams and/or flowchart illustration, and combinations of blocksin the block diagrams and/or flowchart illustration, can be implementedby special purpose hardware-based systems that perform the specifiedfunctions or acts or carry out combinations of special purpose hardwareand computer instructions.

The descriptions of the various embodiments of the present inventionhave been presented for purposes of illustration, but are not intendedto be exhaustive or limited to the embodiments disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the describedembodiments. The terminology used herein was chosen to best explain theprinciples of the embodiments, the practical application or technicalimprovement over technologies found in the marketplace, or to enableothers of ordinary skill in the art to understand the embodimentsdisclosed herein.

Further, Applicant's intent is to encompass the equivalents of all claimelements, and no amendment to any claim of the present applicationshould be construed as a disclaimer of any interest in or right to anequivalent of any element or feature of the amended claim.

What is claimed is:
 1. A computer-implemented policy violation detectionmethod, the method comprising: extracting a policy activity from apolicy that is in a natural language, the policy activity including anactor in the policy, an object within the policy, an action of thepolicy, and policy scope metadata, the object being a tangible, physicalobject; capturing a transaction consisting of a purchase or registrationby a user including metadata of the transaction; translating thetransaction by the user into a natural language representation of anactor in the transaction, an action of the transaction, and an object ofthe transaction; and alerting the user of a policy violation by runninga rule-based inference model with an is-a hierarchy to predict that aportion of the policy activity is violated by a future action with theobject of the transaction by the user based on navigating the is-ahierarchy to compare the natural language representation of thetransaction with the natural language of the policy to alert of thepolicy violation from each of: the actor in the transaction to the actorin the policy; the object of the transaction to the object of thepolicy; and the action of the transaction to the action of the policyactivity, wherein the is-a hierarchy is created with an unsupervisedlearning method that utilizes distributional semantics, and wherein theis-a hierarchy has relationships and synonyms encoded between a generalterm and a specific term of the object, wherein the rule-based inferencemodel uses the encoded relationships and synonyms to determine theviolation, wherein the alerting alerts a user via a notification on auser device, and wherein a user profile on the user device toggles alertsettings for privacy.
 2. The method of claim 1, wherein the rule-basedinference model includes: an inference rule to check the object againstthe policy if an object is acquired; an inference rule to check if theaction enables a second action that can violate the policy in the futureif the user does the action without the object; and an inference rulebased on if the user changes the object or changes a state of the objectthat can violate the policy in the future.
 3. The computer-implementedmethod of claim 1, further comprising filtering and ranking relevantsub-policies in the policy by a criticality level of the policyviolation when the alerting alerts the user of a plurality of policyviolations.
 4. The computer-implemented method of claim 1, wherein thealerting the user of the policy violation alerts at least one of theuser, a friend of the user, a party to the transaction, a party to thepolicy, an owner of the transaction, and an owner of the policy.
 5. Thecomputer-implemented method of claim 1, wherein the alertingcommunicates the activity causing the policy violation to the user if aknowledge graph indicates that a specific type of the object is of agiven type, wherein the given type comprises a known classification of astring of tokens, wherein the given type is in a graph, wherein thegraph is selected from a group consisting of: Wordnet; Freebase; andYago.
 6. The computer-implemented method of claim 1, wherein the action,the object, and the actor in the transaction are stated in naturallanguage where the action comprises a verb or a verb phrase of asentence, the object comprises a noun or a noun phrase object of thesentence, and the actor comprises a noun or a noun phrase subject of thesentence.
 7. The computer-implemented method of claim 1, embodied in acloud-computing environment.
 8. The method of claim 1, wherein thepolicy scope metadata determines whether the capturing is turned on orturned off.
 9. The method of claim 1, wherein the extracting extracts asecond policy activity from a second policy and merges the second policywith the first policy to create a single policy, and wherein a secondactor is paired with the object in the policy with the second actorbeing unique from the actor in the policy such that the policy has adifferent action for the second actor than the actor.
 10. A computerprogram product for policy violation detection, the computer programproduct comprising a computer-readable storage medium having programinstructions embodied therewith, the program instructions executable bya device to cause the device to perform: extracting a policy activityfrom a policy that is in a natural language, the policy activityincluding an actor in the policy, an object within the policy, an actionof the policy, and policy scope metadata, the object being a tangible,physical object; capturing a transaction consisting of a purchase orregistration by a user including metadata of the transaction;translating the transaction by the user into a natural languagerepresentation of an actor in the transaction, an action of thetransaction, and an object of the transaction; and alerting the user ofa policy violation by running a rule-based inference model with an is-ahierarchy to predict that a portion of the policy activity is violatedby a future action with the object of the transaction by the user basedon navigating the is-a hierarchy to compare the natural languagerepresentation of the transaction with the natural language of thepolicy to alert of the policy violation from each of: the actor in thetransaction to the actor in the policy; the object of the transaction tothe object of the policy; and the action of the transaction to theaction of the policy activity, wherein the is-a hierarchy is createdwith an unsupervised learning method that utilizes distributionalsemantics, and wherein the is-a hierarchy has relationships and synonymsencoded between a general term and a specific term of the object,wherein the rule-based inference model uses the encoded relationshipsand synonyms to determine the violation, wherein the alerting alerts auser via a notification on a user device, and wherein a user profile onthe user device toggles alert settings for privacy.
 11. The computerprogram product of claim 10, wherein the rule-based inference modelincludes: an inference rule to check the object against the policy if anobject is acquired; an inference rule to check if the action enables asecond action that can violate the policy in the future if the user doesthe action without the object; and an inference rule based on if theuser changes the object or changes a state of the object that canviolate the policy in the future.
 12. The computer program product ofclaim 10, further comprising filtering and ranking relevant sub-policiesin the policy by a criticality level of the policy violation when thealerting alerts the user of a plurality of policy violations.
 13. Thecomputer program product of claim 10, wherein the alerting the user ofthe policy violation alerts at least one of the user, a friend of theuser, a party to the transaction, a party to the policy, an owner of thetransaction, and an owner of the policy.
 14. The computer programproduct of claim 10, wherein the alerting communicates the activitycausing the policy violation to the user if a knowledge graph indicatesthat a specific type of the object is of a given type, wherein the giventype comprises a known classification of a string of tokens, wherein thegiven type is in a graph, wherein the graph is selected from a groupconsisting of: Wordnet; Freebase; and Yago.
 15. The computer programproduct of claim 10, wherein the action, the object, and the actor inthe transaction are stated in natural language where the actioncomprises a verb or a verb phrase of a sentence, the object comprises anoun or a noun phrase object of the sentence, and the actor comprises anoun or a noun phrase subject of the sentence.
 16. A policy violationdetection system, said system comprising: a processor; and a memory, thememory storing instructions to cause the processor to perform:extracting a policy activity from a policy that is in a naturallanguage, the policy activity including an actor in the policy, anobject within the policy, an action of the policy, and policy scopemetadata, the object being a tangible, physical object; capturing atransaction consisting of a purchase or registration by a user includingmetadata of the transaction; translating the transaction by the userinto a natural language representation of an actor in the transaction,an action of the transaction, and an object of the transaction; andalerting the user of a policy violation by running a rule-basedinference model with an is-a hierarchy to predict that a portion of thepolicy activity is violated by a future action with the object of thetransaction by the user based on navigating the is-a hierarchy tocompare the natural language representation of the transaction with thenatural language of the policy to alert of the policy violation fromeach of: the actor in the transaction to the actor in the policy; theobject of the transaction to the object of the policy; and the action ofthe transaction to the action of the policy activity, wherein the is-ahierarchy is created with an unsupervised learning method that utilizesdistributional semantics, and wherein the is-a hierarchy hasrelationships and synonyms encoded between a general term and a specificterm of the object, wherein the rule-based inference model uses theencoded relationships and synonyms to determine the violation, whereinthe alerting alerts a user via a notification on a user device, andwherein a user profile on the user device toggles alert settings forprivacy.
 17. The system of claim 16, wherein the rule-based inferencemodel includes: an inference rule to check the object against the policyif an object is acquired; an inference rule to check if the actionenables a second action that can violate the policy in the future if theuser does the action without the object; and an inference rule based onif the user changes the object or changes a state of the object that canviolate the policy in the future.
 18. The system of claim 17, embodiedin a cloud-computing environment.